Analysis

max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20220414-en
submitted: 06-07-2022 20:18

Static task: static1
Behavioral task: behavioral1
Sample: Scan SOA.exe
Resource: win7-20220414-en
General

Target: Scan SOA.exe
Size: 500KB
MD5: e69167de6d19a41819f25de01cd10aef
SHA1: c302c06e1cb00e72013b0671ba0db1a541673289
SHA256: 4863509ff407e4a6389305b5555bc804aa5df9b67290feeb1e36bf68f40696e1
SHA512: 73ec2711e5c3076fee07a03db0289887946a66d3f6656ece5a12db6ad672424368a6e9b5feb339b97a8cec63bf3869b8062f90335fb58e99a9894ef0afa742e1
Malware Config

Extracted
Family: xloader
Version: 2.8
Campaign ID: nmd2
Encoded entries (64 base64-formatted strings; the report does not supply the key needed to decode them, so treat them as opaque until decrypted from the sample):
FNWENUOMqqSv0Q==
ls6DEbQ1KBCeSsvUyRg=
mwgrjwpFplaykGoT
Uzzj8yXi13iLMnNGZcnViQliwA==
T7vzj0l0lqquyA==
csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=
YaXyTwg3p1vrf/n9kYJQjrc=
cHAfFEI1JKDF4mTsGjDbeg==
TdDv+o9VSFep3wgTtY0swqQ=
Jw66vdyXdRZG9jJZycLD
icGvsuKZgXNid1M=
6m6H0GvguY+vZZpcioudbQ==
kNUBYMuymhgm2b0q3bEAiQliwA==
M3SiAXRbVe0XAsxDOIp6cg==
+eWLk+HjRRe3LuyavQ==
753R3QYD8XOWtWI0ouGpYw==
dRg+bQZ6TSbC8Sbs2mXXxLM=
kDlUsE+U7Y/RfUQ=
oENlcFZVqqSv0Q==
HCC+nbachxEs1f29GjDbeg==
ctsJlTxo3LFbK0RZycLD
VAV965YJquX+b2gE
wUpcvG0A0kxkhA6dsxec/Ufb
+Kzh3Pz/WTFKLuyavQ==
5IBvVoiTqqSv0Q==
qhS7ELozBsxWGdGNLWXXxLM=
sIdm8Gid7Y/RfUQ=
o9jFl8KnrZEe2UrO2mXXxLM=
eecJaOIceBS8YCLfz2XXxLM=
wvauO+RYyniHRncupG0Ten2V2PDf
meDvRhWM7I/RfUQ=
LlL2kO+2mQQBt6Mbi3M85yXR
/5hqNCjixE1T+DRZycLD
mghXL0b5y1BTAeKFZgcVnbs=
vpRLqCgVpBo+
MhWVgapZL/AkxgTV9WAniQliwA==
G1w14UrRoHGpQ2UVK4BOy+cryA==
Xfjtvd7Rx2B9KWsoP7tp2dGrHmR49g==
YV3YuM5Fbwwp
6l5Yu2CUBLdfCsCe1E47UUFRqOVl4gQ=
zvsbe+zuUwGeQ8vUyRg=
1cI0GBeUfY/RfUQ=
nWgfnkDEUGOJLuyavQ==
0bosGEv++89jmJdZycLD
k55xymOPqqSv0Q==
9Vo/hSEVpBo+
Goh71Ec2I5igPHhLh/mfMmK1d4RK4BA=
ejin8nSfnQonPPibLWXXxLM=
yQUskS2vGpw=
YCbKnMOAcS5Y+zBZycLD
UsS4CoF4lqquyA==
FpSWpcVFbwwp
vFSrpMeaqqSv0Q==
tFR01kVKp0L6IRiD9c7Of5Gus1L3/g==
yr44IihjQHNid1M=
2VRJm0F25df4EZY9bdXViQliwA==
jm/jvLpEJfmbUfbOAH5IaYmZTuVl4gQ=
iYId/jAYAao9W1Oz20NHfcakEBY=
tiUNWfcurI6YSYQ5U7m4ysDQLVBMgdA6iw==
ZeixX31Fbwwp
7FBmslXBOQwbzrIwoXNBiQliwA==
VVr3w7qAY8/hAH5hZsDU
vDlm1IsR5KjVf276e18NPWGBTOVl4gQ=
IxGhEq722C9Yfbn6GjDbeg==
Plaintext domain: gelasbeauty.com
Signatures

Xloader Payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1808-62-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1808-63-0x000000000041F650-mapping.dmp | xloader
behavioral1/memory/1808-65-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1808-73-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1916-76-0x0000000000080000-0x00000000000AC000-memory.dmp | xloader
The 0x400000-0x42C000 region in PID 1808 (the hollowed second copy of Scan SOA.exe) and the 0x80000-0xAC000 region in PID 1916 (wlanext.exe) are both 0x2C000 bytes (176KB), i.e. the same unpacked payload image planted in both processes; the 0x41F650 mapping dump lies inside that image in PID 1808.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LNUPD = "C:\\Program Files (x86)\\Lshl\\userkptdv418.exe" | wlanext.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wlanext.exe
Policies\Explorer\Run is processed by the shell like the ordinary Run key but is rarely written by legitimate installers, and here the value is written by wlanext.exe (the hollowed system binary), not by the original sample, so a hunt keyed on the sample's own image name would miss it.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | Scan SOA.exe
Deletes itself (1 IoC)
pid | process
1500 | cmd.exe
This is the cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Scan SOA.exe" child of wlanext.exe shown in the process tree: the dropped copy under Program Files (x86) is already in place when the original file is removed.
Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
PID 1852 set thread context of 1808 | 1852 | Scan SOA.exe | Scan SOA.exe
PID 1808 set thread context of 1384 (2 events) | 1808 | Scan SOA.exe | Explorer.EXE
PID 1916 set thread context of 1384 | 1916 | wlanext.exe | Explorer.EXE
Read together with the WriteProcessMemory table and the process tree, this is the usual XLoader/Formbook chain: the sample hollows a second copy of itself (1852 -> 1808), that copy hijacks a thread in Explorer.EXE (1808 -> 1384), the code now running in Explorer spawns and writes into wlanext.exe (1384 -> 1916), and wlanext.exe hijacks Explorer again (1916 -> 1384) before spawning cmd.exe and Firefox.exe.
Drops file in Program Files directory (1 IoC)
description | ioc | process
File opened for modification | C:\Program Files (x86)\Lshl\userkptdv418.exe | wlanext.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this run supports that reading (no file encryption, and the payload is an XLoader stealer), and enumerating drives is also ordinary stealer reconnaissance.

Modifies Internet Explorer settings (1 IoC)
description | ioc | process
Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe
IntelliForms\Storage2 is where Internet Explorer keeps its saved form credentials, so a hollowed wlanext.exe touching it is credential-store access rather than a settings change.
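The three registry IoCs above (the Policies\Explorer\Run write, the Geo\Nation query and the IntelliForms\Storage2 key) are the kind of events a registry-event rule can flag. The script below is an added example, not part of the Triage report or of XLoader: the events are constructed from the IoCs on this page plus one benign control, and the rule names, the HOLLOW_TARGETS set and the install-path pattern are this example's own choices.

```python
"""Registry-event triage for the three registry IoCs in this report.

Added example, not part of the Triage report or the XLoader code. The events
below are constructed from the IoCs on this page plus one benign control; the
rule names, the HOLLOW_TARGETS set and the pattern for the install path are
this example's own choices.
"""
import re
from dataclasses import dataclass, field

USER_SID = "S-1-5-21-1083475884-596052423-1669053738-1000"  # sandbox user's SID from the report
HKU = r"\REGISTRY\USER" + "\\" + USER_SID

# Policies\Explorer\Run is honoured by the shell like the ordinary Run key but is
# rarely written by legitimate installers, so any write to it deserves a look.
POLICY_RUN = re.compile(r"\\Policies\\Explorer\\Run(\\|$)", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
INTELLIFORMS = re.compile(r"\\Internet Explorer\\IntelliForms\\Storage2", re.I)
# Shape of the install path seen in this run: Program Files (x86)\<short random dir>\<letters+digits>.exe
RANDOM_PF_EXE = re.compile(r"^C:\\Program Files( \(x86\))?\\[A-Za-z]{3,6}\\[a-z]+\d+\.exe$")
# System binaries that were hollowed in this run; extend with what you observe.
HOLLOW_TARGETS = {"wlanext.exe"}


@dataclass
class RegEvent:
    process: str
    action: str  # "set_value", "key_created" or "value_queried"
    path: str
    data: str = ""


@dataclass
class Finding:
    event: RegEvent
    reasons: list = field(default_factory=list)


def classify(ev: RegEvent) -> list:
    """Return the reasons an event is suspicious (empty list means benign)."""
    reasons = []
    if ev.action in ("set_value", "key_created") and POLICY_RUN.search(ev.path):
        reasons.append("persistence: write to Policies\\Explorer\\Run (T1547.001)")
        if ev.action == "set_value" and RANDOM_PF_EXE.match(ev.data):
            reasons.append("run value points at a random-named Program Files directory")
    if ev.action == "value_queried" and GEO_NATION.search(ev.path):
        reasons.append("geofence check: Geo\\Nation queried (T1614)")
    if INTELLIFORMS.search(ev.path):
        reasons.append("credential access: IE IntelliForms\\Storage2 touched (T1555.003)")
    if reasons and ev.process.lower() in HOLLOW_TARGETS:
        reasons.append(f"actor {ev.process} is a system binary that does not do this on its own")
    return reasons


def scan(events) -> list:
    """Run classify() over a list of events and keep the ones with reasons."""
    return [Finding(ev, r) for ev in events if (r := classify(ev))]


# Constructed from the IoCs on this page, plus one benign control event.
SAMPLE_EVENTS = [
    RegEvent("wlanext.exe", "key_created",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    RegEvent("wlanext.exe", "set_value",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LNUPD",
             r"C:\Program Files (x86)\Lshl\userkptdv418.exe"),
    RegEvent("Scan SOA.exe", "value_queried", HKU + r"\Control Panel\International\Geo\Nation"),
    RegEvent("wlanext.exe", "key_created",
             HKU + r"\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2"),
    RegEvent("setup.exe", "set_value",  # benign control: an ordinary HKCU Run entry
             HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event.process}: {f.event.action} {f.event.path}")
        for r in f.reasons:
            print("   -", r)
```

The benign HKCU\...\Run write is deliberately left unflagged: the signal is the Policies\Explorer\Run location and the writer, not Run-key writes in general. Note that the Geo\Nation query is a value read; Sysmon only records key create/delete (event 12), value set (13) and rename (14), so that particular check is visible in a sandbox or ETW registry trace but not in a Sysmon-only pipeline.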
Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid | process | events
1808 | Scan SOA.exe | 3
1916 | wlanext.exe | 18
Suspicious behavior: MapViewOfSection (8 IoCs)
pid | process | events
1808 | Scan SOA.exe | 4
1916 | wlanext.exe | 4
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1808 | Scan SOA.exe
Token: SeDebugPrivilege | 1916 | wlanext.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process | events
1384 | Explorer.EXE | 2
Suspicious use of SendNotifyMessage (2 IoCs)
pid | process | events
1384 | Explorer.EXE | 2
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | process | target process
PID 1852 wrote to memory of 1808 (7 events) | 1852 | Scan SOA.exe | Scan SOA.exe
PID 1384 wrote to memory of 1916 (4 events) | 1384 | Explorer.EXE | wlanext.exe
PID 1916 wrote to memory of 1500 (4 events) | 1916 | wlanext.exe | cmd.exe
PID 1916 wrote to memory of 880 (5 events) | 1916 | wlanext.exe | Firefox.exe
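The SetThreadContext and WriteProcessMemory tables above only make sense as a sequence, and the same reconstruction is what an analyst does by hand. The script below is an added example, not part of the Triage report or of XLoader: the events are transcribed from the two tables (counts included), and the stage labels, confidence levels and the BROWSERS set are this example's own scheme. It also checks the size of the two "Xloader Payload" regions from the YARA hits.

```python
"""Reconstruct the injection chain from the SetThreadContext and
WriteProcessMemory tables in this report.

Added example, not part of the Triage report or of XLoader. The events are
transcribed from the two signature tables (counts included); the stage labels,
confidence levels and the BROWSERS set are this example's own scheme.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str


EXPLORER = Proc(1384, "Explorer.EXE")
SOA_PARENT = Proc(1852, "Scan SOA.exe")
SOA_CHILD = Proc(1808, "Scan SOA.exe")
WLANEXT = Proc(1916, "wlanext.exe")
CMD = Proc(1500, "cmd.exe")
FIREFOX = Proc(880, "Firefox.exe")

# (source, target, API), in the order the report lists them
EVENTS = (
    [(SOA_PARENT, SOA_CHILD, "WriteProcessMemory")] * 7
    + [(SOA_PARENT, SOA_CHILD, "SetThreadContext")]
    + [(SOA_CHILD, EXPLORER, "SetThreadContext")] * 2
    + [(EXPLORER, WLANEXT, "WriteProcessMemory")] * 4
    + [(WLANEXT, EXPLORER, "SetThreadContext")]
    + [(WLANEXT, CMD, "WriteProcessMemory")] * 4
    + [(WLANEXT, FIREFOX, "WriteProcessMemory")] * 5
)

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}  # example's own list


def classify_pair(src, dst, writes, ctx):
    """Label one (source -> target) pair from its write and thread-context counts."""
    s, d = src.image.lower(), dst.image.lower()
    if s == d and writes and ctx:
        return "process hollowing of a fresh copy of itself (T1055.012)", "high"
    if d == "explorer.exe" and ctx:
        return "thread hijack of Explorer.EXE (T1055.003)", "high"
    if s == "explorer.exe" and writes:
        # Explorer does not write into its children on its own; the writer is
        # the code that was injected into it one stage earlier.
        return "payload written from Explorer into a spawned system binary", "medium"
    if d in BROWSERS and writes and not ctx:
        return "writes into a browser process, no SetThreadContext recorded", "low"
    if writes and not ctx:
        # A parent writing a few times into a child it just created is also what
        # ordinary process creation looks like in this sandbox's event log.
        return "writes to a spawned child only, consistent with process creation", "info"
    return "unclassified cross-process activity", "low"


def build_chain(events):
    """Group events per (source, target) pair, keep first-seen order, label each."""
    order, writes, ctx = [], defaultdict(int), defaultdict(int)
    for src, dst, api in events:
        key = (src, dst)
        if key not in writes and key not in ctx:
            order.append(key)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext":
            ctx[key] += 1
    chain = []
    for src, dst in order:
        label, conf = classify_pair(src, dst, writes[src, dst], ctx[src, dst])
        chain.append({"src": src, "dst": dst, "writes": writes[src, dst],
                      "ctx": ctx[src, dst], "label": label, "confidence": conf})
    return chain


# The two "Xloader Payload" image regions from the YARA hits: (pid, start, end)
PAYLOAD_REGIONS = [(1808, 0x400000, 0x42C000), (1916, 0x80000, 0xAC000)]


def payload_sizes(regions=PAYLOAD_REGIONS):
    """Size of each flagged region; equal sizes mean the same image was planted in both."""
    return {pid: end - start for pid, start, end in regions}


if __name__ == "__main__":
    for st in build_chain(EVENTS):
        print(f"{st['src'].image}({st['src'].pid}) -> {st['dst'].image}({st['dst'].pid}): "
              f"{st['writes']} writes, {st['ctx']} SetThreadContext -> {st['label']} [{st['confidence']}]")
    print({pid: f"{n // 1024}KB" for pid, n in payload_sizes().items()})
```

The confidence scheme is the point: a WriteProcessMemory count on its own (the cmd.exe and Firefox.exe rows) is not evidence of injection, because this sandbox records the writes that ordinary process creation performs as well; it is the pairing with SetThreadContext, or a writer that should never be writing (Explorer into wlanext.exe), that makes a stage firm.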
Processes
(PIDs taken from the signature tables above; depth is the tree level recorded by the sandbox)

1. C:\Windows\Explorer.EXE  (PID 1384)
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Scan SOA.exe  (PID 1852)
      command line: "C:\Users\Admin\AppData\Local\Temp\Scan SOA.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Scan SOA.exe  (PID 1808)
         command line: "{path}"
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\wlanext.exe  (PID 1916)
      command line: "C:\Windows\SysWOW64\wlanext.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe  (PID 1500)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\Scan SOA.exe"
         - Deletes itself

      3. C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 880)
         command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

dump | size
memory/1384-68-0x0000000004AE0000-0x0000000004C3B000-memory.dmp | 1.4MB
memory/1384-71-0x0000000003B70000-0x0000000003C46000-memory.dmp | 856KB
memory/1384-79-0x0000000004C40000-0x0000000004DB2000-memory.dmp | 1.4MB
memory/1384-80-0x0000000004C40000-0x0000000004DB2000-memory.dmp | 1.4MB
memory/1500-74-0x0000000000000000-mapping.dmp | (mapping dump, no size listed)
memory/1808-59-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/1808-60-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/1808-62-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/1808-63-0x000000000041F650-mapping.dmp | (mapping dump, no size listed)
memory/1808-65-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/1808-66-0x0000000000C70000-0x0000000000F73000-memory.dmp | 3.0MB
memory/1808-67-0x0000000000190000-0x00000000001A1000-memory.dmp | 68KB
memory/1808-70-0x00000000003C0000-0x00000000003D1000-memory.dmp | 68KB
memory/1808-73-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/1852-54-0x0000000000BE0000-0x0000000000C64000-memory.dmp | 528KB
memory/1852-55-0x00000000753B1000-0x00000000753B3000-memory.dmp | 8KB
memory/1852-56-0x00000000009D0000-0x00000000009DA000-memory.dmp | 40KB
memory/1852-57-0x0000000006150000-0x00000000061D0000-memory.dmp | 512KB
memory/1852-58-0x0000000000AB0000-0x0000000000AE2000-memory.dmp | 200KB
memory/1916-72-0x0000000000000000-mapping.dmp | (mapping dump, no size listed)
memory/1916-75-0x00000000003F0000-0x0000000000406000-memory.dmp | 88KB
memory/1916-76-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
memory/1916-77-0x0000000001E70000-0x0000000002173000-memory.dmp | 3.0MB
memory/1916-78-0x0000000001D10000-0x0000000001DA0000-memory.dmp | 576KB

The listed sizes match the address ranges. The 176KB (0x2C000 bytes) and 3.0MB (0x303000 bytes) regions recur in PID 1808 and PID 1916 with identical sizes, as expected when the same payload is planted in both the hollowed copy of the sample and wlanext.exe; the 176KB dumps are the ones the xloader YARA rule matched.